sumcheck protocol support mixed num_vars monomial form #235
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hero78119
force-pushed
the
feat/state_circuit
branch
from
ce2a5b1 to
c4e3251
Compare
hero78119
changed the title
hero78119
force-pushed
the
feat/state_circuit
branch
from
f4cf185 to
a076261
Compare
|
@kunxian-xia I plan to study what the minimal change to batching multiple table (or similar) circuit in single create_table_proof after this PR, since each table circuit only contribute one wit-in. The previous blocker for batching them is on |
hero78119
changed the title
hero78119
force-pushed
the
feat/state_circuit
branch
2 times, most recently
from
ab7bb73 to
289bca3
Compare
hero78119
force-pushed
the
feat/state_circuit
branch
from
289bca3 to
9383aaa
Compare
hero78119
commented
Sep 19, 2024
| @@ -418,13 +449,24 @@ impl<'a, E: ExtensionField> IOPProverStateV2<'a, E> { | |||
| let f = &self.poly.flattened_ml_extensions[products[0]]; | |||
| op_mle! { | |||
| |f| { | |||
| (0..f.len()) | |||
| let res = (0..largest_even_below(f.len())) | |||
There was a problem hiding this comment.
The idea behind this is for skip f.len() == 1 assuring we dont need to add extra boundary check in line 455/456 so no performance impact
hero78119
added a commit
that referenced
this pull request
Sep 30, 2024
### Goal
To make sumcheck protocol support different num_vars, aiming for
- [x] minimal change to sumcheck protocol, make verifier remain the
same. no extra meta data passed from prover, and what prover have just
mle and it's eval size
Besides this PR also remove some parallism in verifier since it's
unnecessary for relative low cost.
### design rationale
(Also comments in codebase for reference)
To deal with different num_vars, we exploit a fact that for each product
which num_vars < max_num_vars,
for it evaluation value we need to times 2^(max_num_vars - num_vars)
E.g. Giving multivariate poly $f(X) = f_1(X1) + f_2(X), X1 \in {F}^{n'},
X \in {F}^{n}, |X1| := n', |X| = n, n' <= n$
For i round univariate poly, $f^i(x)$
$f^i[0] = \sum_b f(r, 0, b), b \in [0, 1]^{n-i-1}, r \in {F}^{n-i-1}$
chanllenge get from prev rounds
= $\sum_b f_1(r, 0, b1) + f_2(r, 0, b), |b| >= |b1|, |b| - |b1| = n -
n'$
= $2^{(|b| - |b1|)} * \sum_{b1} f_1(r, 0, b1) + \sum_b f_2(r, 0, b)$
same applied on f^i[1]
It imply that, for every evals in f_1, to compute univariate poly, we
just need to times a factor 2^(|b| - |b1|) for it evaluation value
### benchmark
benchmark with ceno_zkvm `riscv_add`, and gkr `keccak` both remain the
same and no impact.
You might see some redundancy coding style, but this is for retain the
best performance. I tried other variants and it impact benchmark results
### scope
Related to #109 #210 ....
To address #126 #127
This enhance protocol features potiential can be used for `range
table-circuit`, `init/final-memory`, `cpu-init/cpu-final halt` to make
selector sumcheck support batching different num_instance witin.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Goal
To make sumcheck protocol support different num_vars, aiming for
Besides this PR also remove some parallism in verifier since it's unnecessary for relative low cost.
design rationale
(Also comments in codebase for reference)$f(X) = f_1(X1) + f_2(X), X1 \in {F}^{n'}, X \in {F}^{n}, |X1| := n', |X| = n, n' <= n$ $f^i(x)$
$f^i[0] = \sum_b f(r, 0, b), b \in [0, 1]^{n-i-1}, r \in {F}^{n-i-1}$ chanllenge get from prev rounds$\sum_b f_1(r, 0, b1) + f_2(r, 0, b), |b| >= |b1|, |b| - |b1| = n - n'$ $2^{(|b| - |b1|)} * \sum_{b1} f_1(r, 0, b1) + \sum_b f_2(r, 0, b)$
To deal with different num_vars, we exploit a fact that for each product which num_vars < max_num_vars,
for it evaluation value we need to times 2^(max_num_vars - num_vars)
E.g. Giving multivariate poly
For i round univariate poly,
=
=
same applied on f^i[1]
It imply that, for every evals in f_1, to compute univariate poly, we just need to times a factor 2^(|b| - |b1|) for it evaluation value
benchmark
benchmark with ceno_zkvm
riscv_add, and gkrkeccakboth remain the same and no impact.You might see some redundancy coding style, but this is for retain the best performance. I tried other variants and it impact benchmark results
scope
Related to #109 #210 ....
To address #126 #127
This enhance protocol features potiential can be used for
range table-circuit,init/final-memory,cpu-init/cpu-final haltto make selector sumcheck support batching different num_instance witin.